Data subjects entitled to know who receives their data
The European Court of Justice (Court) has recently ruled that the right of a data subject to access information about the processing of their personal data under the General Data Protection Regulation (GDPR) extends to the identification of the precise recipients to whom the personal data is disclosed (where requested by the data subject). Although the ruling in RW v. Österreichische Post AG (case C-154/21) is not binding on UK courts, it is interesting to consider whether this decision will be followed in the UK.
Article 15 of the GDPR
Article 15 of the GDPR provides for the right to make a data subject access request, also known as the right of access. This allows individuals to request a copy of their personal data as well as certain additional information. The right helps individuals to understand how and why their data is being used, and to check whether it is being processed lawfully. In general terms, controllers must facilitate the request and provide the information requested in a clear, concise and accessible manner.
More specifically, Article 15(1)(c) of the GDPR provides for access to "the recipients or categories of recipients to whom the personal data have been or will be disclosed...". This means that data subjects can ask the controller for information about who has received or will be receiving their personal data.
The Court’s opinion
The Court clarified that Article 15(1)(c) shall be interpreted in a way that entitles data subjects to request the actual names of the recipients of their personal data. Where it is not yet possible to identify the recipient(s), the controller may only be required to indicate the categories of the recipients in question. This is also the case where the controller demonstrates that the request is blatantly excessive or unfounded.
The Court’s judgement means that data subjects are entitled to request from controllers the precise information relating to whom their personal data has been disclosed, and this includes requesting their identities. Controllers must facilitate access and provide, upon request, the actual identities of those recipients to the data subject. The only exceptions to this obligation are if (1) it is impossible to reveal the identity of the recipient, and (2) the request is manifestly unfounded or excessive.
Comment
Whether controllers must identify each recipient or just categories of recipients has been subject to much debate. To date, controllers have, in practice, tended only to disclose the categories of recipients. Arguably this has undermined the core purpose of the right of access because it prevents the data subject from being able to understand and verify the lawfulness of the processing of their data, and ultimately evades transparency, which is inconsistent with the requirements of the GDPR.
Additionally, in terms of consistency, Article 19 of the GDPR requires controllers to inform recipients of personal data if a data subject has exercised their right regarding rectification, erasure or restriction of processing. Specifically, Article 19 states that "the controller shall inform the data subject about those recipients if the data subject requests it." The requirement for "those recipients" is much more specific than the open-ended "categories of recipients" in Article 15. The Court’s judgement functions to keep the wording of Articles 15 and 19 in line with each other, which promotes consistency in the reading of the GDPR.
Furthermore, the Court’s approach also falls in line with guidance previously produced by the Article 29 Working Party (now replaced by the European Data Protection Board) to the effect that controllers should provide information on recipients that is most meaningful for the data subjects and that information should be as specific as possible. Although the Working Party’s guidance is not binding, the Court’s opinion suggests thorough consideration of all relevant factors.
What does this mean for the UK?
Article 15(1)(c) of the UK GDPR is virtually identical to Article 15(1)(c) of the (EU) GDPR. Despite not being legally binding in the UK, the Court’s interpretation of the right of access may be followed in UK courts because of the similarities between the UK GDPR and the (EU) GDPR, all the more so as Recital 63 of both the EU GDPR and the UK GDPR provides that data subjects should have access to data concerning the recipients of their personal data.
Although we cannot assume how much weight the Court’s judgement will hold in the UK, it would certainly be prudent for UK-based data controllers to seriously consider the Court’s interpretation when dealing with access rights under Article 15(1)(c) of the UK GDPR.
If you have any queries about subject access rights under the UK GDPR, please contact a member of our Data Protection team.
This article was co-written by Ussamah Nasar, Trainee Solicitor.